Category: Security

Jan 28 2016

LG closes data-theft hole affecting millions of G3 smartphones


LG is closing a security hole that makes it possible for attackers to steal chat histories and other sensitive data stored on an estimated 10 million G3 phones.

The vulnerability resides in an LG app called Smart Notice. It comes preinstalled on new LG G3 devices and displays a variety of notifications and suggestions, including recommendations to stay in touch with favorite contacts, saving recent callers' contact information, and birthday reminders. The app fails to validate data presented to users, making it possible for attackers to manipulate data such as contact information so that it executes malicious code on affected handsets.

"Using the vulnerability, an attacker can easily open the user device to data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of phishing attack by misleading the end-user; and enable the installation of a malicious program on the device," researchers wrote in a blog post published Thursday. "We informed LG, which responded quickly to notice of the vulnerability and we encourage users to immediately upgrade their application to new Smart Notice release, which contains a patch."

Jan 27 2016

Oracle deprecates the Java browser plugin, prepares for its demise

The much-maligned Java browser plugin, source of so many security flaws over the years, is to be killed off by Oracle. It will not be mourned.

Oracle, which acquired Java as part of its 2010 purchase of Sun Microsystems, has announced that the plugin will be deprecated in the next release of Java, version 9, which is currently available as an early access beta. A future release will remove it entirely.

Of course, Oracle's move is arguably a day late and a dollar short. Chrome started deprecating browser plugins last April, with Firefox announcing similar plans in October. Microsoft's new Edge browser also lacks any support for plugins. Taken together, it doesn't really matter much what Oracle does: even if the company continued developing and supporting its plugin, the browser vendors themselves were making it an irrelevance. Only Internet Explorer 11, itself a legacy browser that's receiving only security fixes, is set to offer any continued plugin support.

Jan 27 2016

Cisco Releases Security Update

Original release date: January 27, 2016

Cisco has released a security update to address a vulnerability in the web-based management interface of Cisco RV220W Wireless Network Security Firewall devices. Exploitation of this vulnerability could allow a remote attacker to take control of an affected device.

Users and administrators are encouraged to review the Cisco Security Advisory and US-CERT's tip on Securing Your Home Network and apply the necessary update.

Jan 27 2016

PayPal Remote Code Execution Vulnerability Patched

So this is a big one, and thankfully this PayPal Remote Code Execution Vulnerability was discovered by security researchers and not the bad guys. Although there’s no way for us to know if someone has been using this to siphon data out of PayPal for some time before the whitehats found it. It’s a roundabout [...]
